Hello devs,

Depending on the tools your teams use, here are more resources to address the Log4j vulnerability.

1. *Apache Log4j*: https://blogs.apache.org/foundation/entry/apache-log4j-cves
2. *JFrog*: https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/
3. *Sourcegraph*: https://about.sourcegraph.com/blog/log4j-log4shell-0-day

Cheers,
Isaac Kamga.

On Tue, Dec 14, 2021 at 06:54 Avik Ganguly <[email protected]> wrote:
> Thank you, Michael, Aleks and Airsay!
>
> On Tue, Dec 14, 2021 at 12:48 AM Ed Cable <[email protected]> wrote:
>> Thank you Airsay for raising this to the community and then Aleks and
>> Michael for clarifying the exposure and impact for the Fineract
>> community.
>>
>> Ed
>>
>> On Sun, Dec 12, 2021, 08:12 Isaac Kamga <[email protected]> wrote:
>>> Thanks for the reassurance Michael.
>>>
>>> On Sat, Dec 11, 2021 at 09:16 Michael Vorburger <[email protected]> wrote:
>>>> Independently confirming this - relax everyone! (As in, you can relax
>>>> for Fineract. Don't relax for anything else you are responsible for - do
>>>> check any other code you have, this security vulnerability is as bad as they
>>>> can get; the Internet is rightfully on fire about this.)
>>>>
>>>> https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
>>>> (which I found while working on
>>>> https://github.com/vorburger/MariaDB4j/issues/509) has some related
>>>> background; TL;DR: *"The log4j-to-slf4j and log4j-api jars that we
>>>> include in spring-boot-starter-logging cannot be exploited on their own.
>>>> Only applications using log4j-core and including user input in log messages
>>>> are vulnerable."*
>>>>
>>>> Or, more technically:
>>>>
>>>> $ ./gradlew fineract-provider:dependencies | grep log4j
>>>> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>>> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>>> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>>> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>>> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>>> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>>> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>>
>>>> $ ./gradlew fineract-provider:dependencies | grep log4j-core
>>>> (nothing)
>>>>
>>>> Hope this helps everyone to sleep well... ;-)
>>>>
>>>> On Sat, Dec 11, 2021 at 10:28 AM AirsayLongCon <[email protected]> wrote:
>>>>> Hello Aleks
>>>>> Thank you for the clarification
>>>>>
>>>>> On Sat, Dec 11, 2021, 10:17 AM Aleksandar Vidakovic <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> ... we are using SLF4J to abstract all the different logging
>>>>>> frameworks (Commons Logging, Log4J etc.). Under the hood logging in
>>>>>> Fineract is done by Logback and not Log4j. The only Log4j dependencies we
>>>>>> have are those that "redirect" the logging to Logback.
>>>>>>
>>>>>> Here's also a vulnerability report for that specific dependency
>>>>>> ("org.apache.logging.log4j:log4j-to-slf4j"):
>>>>>>
>>>>>> https://snyk.io/vuln/maven:org.apache.logging.log4j:log4j-to-slf4j
>>>>>>
>>>>>> FYI
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Aleks
>>>>>>
>>>>>> On Sat, Dec 11, 2021 at 2:10 AM AirsayLongCon <[email protected]> wrote:
>>>>>>> Hello community,
>>>>>>> Are we aware of the RCE reportedly affecting log4j?
>>>>>>>
>>>>>>> If your organization uses the log4j library, you should upgrade
>>>>>>> to log4j-2.1.50.rc2 immediately.
>>>>>>>
>>>>>>> https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
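The check Michael describes in the thread (grep the Gradle dependency tree for log4j, then specifically for log4j-core) can be turned into a repeatable script that separates the harmless bridge artifacts (log4j-to-slf4j, log4j-api) from log4j-core and compares any log4j-core version found against a minimum that the reader supplies. The script below is an added example, not code from the thread or from the Fineract project; the two dependency trees are constructed samples, and MIN_SAFE is assumed to be set by the reader from the Apache Log4j advisory linked at the top of this message.

```shell
#!/bin/sh
# Constructed Gradle dependency-tree excerpts for this example (not real project output).
# CLEAN_TREE mirrors the thread's situation: only the SLF4J bridge and the API jar.
CLEAN_TREE='| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
| | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
+--- ch.qos.logback:logback-classic:1.2.7'

# CORE_TREE is the case that needs attention: log4j-core is on the classpath.
CORE_TREE='+--- org.apache.logging.log4j:log4j-core:2.14.1
| \--- org.apache.logging.log4j:log4j-api:2.14.1
+--- org.apache.logging.log4j:log4j-core:2.14.1 (*)'

# list_log4j TREE: print each distinct org.apache.logging.log4j artifact:version once.
list_log4j() {
  printf '%s\n' "$1" \
    | grep -o 'org\.apache\.logging\.log4j:[A-Za-z0-9._-]*:[0-9][A-Za-z0-9.-]*' \
    | sort -u
}

# core_versions TREE: print the version(s) of log4j-core only (empty if absent).
core_versions() {
  list_log4j "$1" | sed -n 's/^org\.apache\.logging\.log4j:log4j-core://p'
}

# has_log4j_core TREE: succeed (exit 0) if log4j-core appears anywhere in the tree.
has_log4j_core() {
  [ -n "$(core_versions "$1")" ]
}

# version_at_least VERSION MIN: succeed if VERSION >= MIN, comparing dotted numeric
# components; a pre-release suffix such as "-rc2" is ignored for the comparison.
version_at_least() {
  awk -v v="$1" -v m="$2" 'BEGIN {
    sub(/[-_].*/, "", v); sub(/[-_].*/, "", m)
    nv = split(v, a, "."); nm = split(m, b, ".")
    n = (nv > nm) ? nv : nm
    for (i = 1; i <= n; i++) {
      x = (i <= nv) ? a[i] + 0 : 0
      y = (i <= nm) ? b[i] + 0 : 0
      if (x < y) exit 1
      if (x > y) exit 0
    }
    exit 0
  }'
}

# check_tree TREE MIN_SAFE: report on every log4j-core found; exit 0 when there is
# none or all are at/above MIN_SAFE, exit 1 when any is below it.
check_tree() {
  status=0
  if ! has_log4j_core "$1"; then
    echo "no log4j-core on the classpath (log4j-api / log4j-to-slf4j alone are not the affected component)"
    return 0
  fi
  for ver in $(core_versions "$1"); do
    if version_at_least "$ver" "$2"; then
      echo "log4j-core $ver: at or above $2"
    else
      echo "log4j-core $ver: below $2, upgrade required"
      status=1
    fi
  done
  return $status
}

# Inventory of both constructed trees.
echo "clean tree:"; list_log4j "$CLEAN_TREE"
echo "core tree:";  list_log4j "$CORE_TREE"

# MIN_SAFE is a placeholder the reader supplies from the Apache advisory; on a real
# project run:  check_tree "$(./gradlew fineract-provider:dependencies)" "$MIN_SAFE"
if [ -n "${MIN_SAFE:-}" ]; then
  check_tree "$CORE_TREE" "$MIN_SAFE" || echo "action required"
else
  echo "set MIN_SAFE to the fixed log4j-core version from the Apache advisory to run check_tree"
fi
```

Running the full dependency tree rather than a single module's tree matters: a transitive log4j-core pulled in by one subproject is just as exploitable as a direct one, and the first grep in the thread only shows that the bridge jars are present, which is why the second grep for log4j-core is the decisive check.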
